Set up 2-Step Verification

Protect your business with 2-Step Verification

Use 2-Step Verification (2SV) to protect accounts from unauthorized access. 2SV puts an extra barrier between your business and cybercriminals who try to steal usernames and passwords to access business data. Turning on 2SV is the single most important thing you can do to protect your business.

What is 2-Step Verification?

2SV requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code delivered to a device). It’s also called multifactor authentication (MFA) or 2-factor authentication (2FA).

Do small businesses need 2-Step Verification?

Cybercriminals are increasingly targeting small businesses. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more. A hacker might be able to steal or guess a password, but they can’t reproduce something only you have.

2-Step Verification methods

Security keys

Security keys are the most secure form of 2SV and protect against phishing threats. Users typically insert this physical key into a USB port on a computer. When prompted, a user touches the key.

With Android mobile devices, a user taps the security key on their Near Field Communication (NFC) enabled device. You can also find USB and Bluetooth® Low Energy (BLE) options for Android devices. Apple® mobile devices need Bluetooth-enabled security keys.

Google prompt

Users can set up their Android or Apple mobile devices to receive a sign-in prompt. When they sign in to their Google Account on their computer, they get a "Trying to sign in?" prompt on their mobile device. They simply confirm by tapping their mobile device.

Google Authenticator

Google Authenticator generates single-use 2SV codes on Android or Apple mobile devices. Users generate a verification code on their mobile device and, when prompted, enter it on their computer. They can enter it to sign in to a desktop, laptop, or even the mobile device itself.

Backup codes

If a user is away from their mobile device or works in a high-security area where they can't carry mobile devices, they can use a backup code for 2SV. Users can generate backup verification codes and print them ahead of time.

Text message or phone call

Google sends a 2SV code to mobile devices in a text message or voice call.

Enforcement options for 2-Step Verification

You can make 2SV optional or required.

Optional—You encourage users to use 2SV, but leave the decision up to them.

Mandatory—You require users to use 2SV, but they choose the method.

Mandatory security keys—You require users to use a security key as their 2SV method.

Best practices for 2-Step Verification

Enforce 2-Step Verification for administrators and key users

Make 2SV required for your administrator account and users who work with your most important business information.

The administrator account is the most powerful account because it can delete users, reset passwords, and access all your data.

Users who work with sensitive data such as financial records and employee information should also use 2SV.
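One way to check this practice against your own user list, as an added example that is not Google's code: the script ranks accounts that lack 2SV, putting administrators and users in sensitive organizational units first. The field names (isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended, orgUnitPath) are those of the Admin SDK Directory API user resource; the sample records, the choice of sensitive organizational units, and the severity ranking are assumptions made for illustration.

```python
import json

# Constructed sample shaped like Admin SDK Directory API user records
# (users.list); addresses and OU paths are invented for illustration.
SAMPLE_USERS = json.loads("""
[
 {"primaryEmail": "owner@example.com", "isAdmin": true, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/"},
 {"primaryEmail": "it@example.com", "isAdmin": false, "isDelegatedAdmin": true, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "orgUnitPath": "/"},
 {"primaryEmail": "payroll@example.com", "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/Finance"},
 {"primaryEmail": "hr@example.com", "isAdmin": false, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "orgUnitPath": "/HR"},
 {"primaryEmail": "sales@example.com", "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/Sales"},
 {"primaryEmail": "former@example.com", "isAdmin": true, "suspended": true, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "orgUnitPath": "/"}
]
""")

# Assumption: these OUs hold the users who handle financial and employee data.
SENSITIVE_OUS = ("/Finance", "/HR")

def in_ou(path, ou):
    """True if path is the OU itself or nested under it."""
    return path == ou or path.startswith(ou + "/")

def audit_2sv(users, sensitive_ous=SENSITIVE_OUS):
    """Return (severity, email, reason) tuples, most urgent first."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in
        admin = u.get("isAdmin") or u.get("isDelegatedAdmin")
        key_user = any(in_ou(u.get("orgUnitPath", "/"), ou) for ou in sensitive_ous)
        enrolled = u.get("isEnrolledIn2Sv", False)
        enforced = u.get("isEnforcedIn2Sv", False)
        if enrolled and enforced:
            continue
        role = "admin" if admin else "key user" if key_user else "user"
        if not enrolled:
            sev = 0 if admin else 1 if key_user else 3
            reason = f"{role} has not enrolled in 2SV"
        else:
            sev = 1 if admin else 2 if key_user else None
            reason = f"{role} enrolled, but 2SV is not enforced"
        if sev is not None:
            findings.append((sev, u["primaryEmail"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for sev, email, reason in audit_2sv(SAMPLE_USERS):
        print(f"[{('CRITICAL', 'HIGH', 'MEDIUM', 'LOW')[sev]}] {email}: {reason}")
```

Ordinary users who enrolled voluntarily are not reported, since optional 2SV is an allowed policy for them; enrolled administrators and key users are still listed until enforcement is turned on.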

Consider using security keys in your business

Because security keys are the strongest 2SV method, consider using them in your business.

Alternatives to security keys—Google prompt or the Google Authenticator app are good alternatives if you decide not to use security keys. Google prompt provides a better user experience than Google Authenticator, because users simply tap their device when prompted (instead of entering a verification code).

Text messages are discouraged—They rely on external carrier networks and might be intercepted.